SEC’s Recent Statements and Initiatives on Cybersecurity

Today is the continuation in a Lawcast series on the SEC’s recent statements and initiatives on cybersecurity.
On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC EDGAR system had been hacked. Sometime in 2016, a software vulnerability in the test filing component of the EDGAR system was exploited. The opening was patched once discovered, but the hackers were able to obtain information through test filings that was used to make illicit trading gains. The hackers also obtained personal information, including names, dates of birth and Social Security numbers of at least two individuals. Chair Clayton was not informed of the hacking until August 2017.

The test filing system of EDGAR allows a company to make a non-public test filing of a registration statement or report (or any document that can be filed through the EDGAR system) to be sure the actual filing will be processed correctly. The test filing is usually made hours before the actual filing, but it can be made up to days in advance. By gaining access to material information in filings before the marketplace sees it, the hackers could trade on such information and make illegal profits.

When the SEC first announced the hacking on September 20, 2017, it stated that no personal information had been compromised, but in a second press release issued on October 2, 2017, the SEC confirmed that forensic data analysis had uncovered further depths to the intrusion. In the October 2 press release, Chair Clayton outlined efforts to review and remediate the 2016 hacking, including:

(i) A review of the 2016 EDGAR intrusion by the Office of Inspector General;
(ii) An investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion (which seems to indicate that the perpetrator has been uncovered). Chair Clayton was first informed of the hacking in connection with this enforcement investigation;
(iii) A focused review and appropriate uplift of the EDGAR system with a concentration on cybersecurity matters, including its security systems, processes and controls. This review will include assessing the types of data that run through the EDGAR system and whether EDGAR is the appropriate mechanism to funnel such data;
(iv) A focused review and appropriate uplift of all systems that include the identification of sensitive data or personally identifiable information. This review will include assessing the types of data the SEC keeps and the related security systems, processes and controls; and
(v) The SEC’s internal review of the 2016 EDGAR hacking to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and includes an interdisciplinary investigative team including outside technology consultants. Related to this, the SEC will enhance protocols for cybersecurity incidents.

In furtherance of this review and plan, Chair Clayton authorized the immediate hiring of additional staff and outside technology consultants to protect the security of the SEC’s network, systems and data.